[英]OkHttp3 - unable to find valid certification path to requested target
在我的應用程序中,我使用 Retrofit2(2.9.0) 和 OkHttp3(3.14.4)。 我想將 tls 客戶端證書添加到我對某些 api 的所有請求中。 我在.p12文件中獲得了證書。 我讀了文件,加載到 X509Certificate class 然后我使用了.addTrustedCertificate(certificate)方法。 證書是正確的,我使用 curl 進行了嘗試。 不幸的是,當我運行代碼時出現異常。
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:641)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:460)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:213)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
at okhttp3.RealCall.execute(RealCall.java:81)
at retrofit2.OkHttpCall.execute(OkHttpCall.java:204)
at com.jakewharton.retrofit2.adapter.reactor.ExecuteSinkConsumer.accept(ExecuteSinkConsumer.java:39)
at com.jakewharton.retrofit2.adapter.reactor.ExecuteSinkConsumer.accept(ExecuteSinkConsumer.java:24)
at reactor.core.publisher.FluxCreate.subscribe(FluxCreate.java:94)
at reactor.core.publisher.Flux.subscribe(Flux.java:8143)
at com.jakewharton.retrofit2.adapter.reactor.BodyFlux.subscribe(BodyFlux.java:36)
at reactor.core.publisher.FluxSubscribeOn$SubscribeOnSubscriber.run(FluxSubscribeOn.java:194)
at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:84)
at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:625)
... 47 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 53 more
Process finished with exit code 1
我的代碼看起來像這樣
val fileName = "certyficate.p12"
val file = File(fileName)
val inputStream = file.inputStream()
val p12 = KeyStore.getInstance("pkcs12")
val password = "password"
p12.load(inputStream, password.toCharArray())
val alias = p12.aliases().nextElement()
val certificate = p12.getCertificate(alias) as X509Certificate
val ob = ObjectMapper().registerModule(KotlinModule())
val hostname = "https://myapi.com"
val timeout = 5L
val okHttpClient = OkHttpClient.Builder()
.connectTimeout(timeout, TimeUnit.SECONDS)
.readTimeout(timeout, TimeUnit.SECONDS)
.writeTimeout(timeout, TimeUnit.SECONDS)
.apply {
addInterceptor(HttpLoggingInterceptor().apply {
level = HttpLoggingInterceptor.Level.BODY
})
}
.apply {
val clientCertificate = HandshakeCertificates
.Builder()
.addTrustedCertificate(certificate)
.build()
sslSocketFactory(clientCertificate.sslSocketFactory(), clientCertificate.trustManager())
}
.build()
val retrofit = Retrofit.Builder()
.baseUrl(hostname)
.addCallAdapterFactory(RxJava2CallAdapterFactory.createWithScheduler(
io.reactivex.schedulers.Schedulers.io()
))
.addCallAdapterFactory(ReactorCallAdapterFactory.createWithScheduler(Schedulers.newElastic(
MyApi::class.java.name
)))
.addConverterFactory(JacksonConverterFactory.create(ob))
.client(okHttpClient)
.build()
val p = retrofit.create(MyApi::class.java)
val res = p.doRequest().block()
println(res)
可能的原因是什么? 使用 OkHttp3 時如何正確使用客戶端證書?
編輯后我添加.addPlatformTrustedCertificates()我得到
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:285)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:180)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:213)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
at okhttp3.RealCall.execute(RealCall.java:81)
at retrofit2.OkHttpCall.execute(OkHttpCall.java:204)
at com.jakewharton.retrofit2.adapter.reactor.ExecuteSinkConsumer.accept(ExecuteSinkConsumer.java:39)
at com.jakewharton.retrofit2.adapter.reactor.ExecuteSinkConsumer.accept(ExecuteSinkConsumer.java:24)
at reactor.core.publisher.FluxCreate.subscribe(FluxCreate.java:94)
at reactor.core.publisher.Flux.subscribe(Flux.java:8143)
at com.jakewharton.retrofit2.adapter.reactor.BodyFlux.subscribe(BodyFlux.java:36)
at reactor.core.publisher.FluxSubscribeOn$SubscribeOnSubscriber.run(FluxSubscribeOn.java:194)
at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:84)
at reactor.core.scheduler.WorkerTask.call(WorkerTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
我使用javax.net.debug=ssl,handshake運行並在我的日志中找到
javax.net.ssl|DEBUG|12|my.app.MyApi-2|2021-03-03 14:00:09.656 CET|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|12|my.app.MyApi-2|2021-03-03 14:00:09.656 CET|CertificateMessage.java:321|Produced client Certificate handshake message (
"Certificates": <empty list>
)
還有我的 build.gradle
compile group: 'com.squareup.retrofit2', name: 'retrofit', version: '2.9.0'
compile group: 'com.squareup.retrofit2', name: 'converter-jackson', version: '2.9.0'
compile group: 'com.squareup.retrofit2', name: 'adapter-rxjava2', version: '2.9.0'
compile group: 'com.jakewharton.retrofit', name: 'retrofit2-reactor-adapter', version: '2.1.0'
compile group: 'com.squareup.okhttp3', name: 'okhttp-tls', version: '3.14.4'
val p12 = KeyStore.getInstance("pkcs12").apply {
load(inputStream, password)
}
val clientCert = p12.getCertificateChain(alias)[0] as X509Certificate
val rootCert = p12.getCertificateChain(alias)[1] as X509Certificate
val clientPrivateKey = p12.getKey(alias, password) as PrivateKey
val clientTLSCredentials = HeldCertificate(KeyPair(clientCert.publicKey, clientPrivateKey), clientCert)
val clientTlsHandShake = HandshakeCertificates.Builder()
.heldCertificate(clientTLSCredentials, rootCert)
.addPlatformTrustedCertificates()
.build()
val client = OkHttpClient.Builder()
.sslSocketFactory(clientTlsHandShake.sslSocketFactory(), clientTlsHandShake.trustManager())
.build()
val handshakeCertificates = HandshakeCertificates.Builder()
.addPlatformTrustedCertificates()
.addTrustedCertificate(cert)
.build()
clientBuilder
.sslSocketFactory(handshakeCertificates.sslSocketFactory(),
handshakeCertificates.trustManager)
您應該可以在調試器中查看 SunCertPathBuilderException 中的證書鏈。
這是通用 CertPathBuilderException 的子類。 它包含一個鄰接列表,其中包含有關 SunCertPathBuilder 嘗試的不成功路徑的信息。
最終,您可能需要在 JSSE 中啟用 SSL 調試以查看失敗的原因。
能夠使用 Clyde Barrow 的解決方案來完成這項工作。 這是我的純 Java 解決方案(與克萊德的沒有太大區別)。 這是使用由 Entrust 簽名的客戶端證書和中間證書。
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(new FileInputStream(new File("myKeyStore.jks")), "mypassword".toCharArray());
Certificate[] certificates = keyStore.getCertificateChain("myalias");
X509Certificate clientCertificate = (X509Certificate) certificates[0];
X509Certificate intermediateCertificate = (X509Certificate) certificates[1];
PrivateKey privateKey = (PrivateKey) keyStore.getKey("myalias", "mypassword".toCharArray());
PublicKey publicKey = clientCertificate.getPublicKey();
KeyPair keyPair = new KeyPair(publicKey, privateKey);
HeldCertificate heldCertificate = new HeldCertificate(keyPair, clientCertificate);
HandshakeCertificates.Builder builder =
new HandshakeCertificates.Builder()
.heldCertificate(heldCertificate, intermediateCertificate)
.addPlatformTrustedCertificates();
HandshakeCertificates handshakeCertificates = builder.build();
OkHttpClient okClient =
new OkHttpClient().newBuilder().readTimeout(30, TimeUnit.SECONDS)
.sslSocketFactory(handshakeCertificates.sslSocketFactory(), handshakeCertificates.trustManager())
.build();
同步gradle時,Android Studio 3.0中出現錯誤。 錯誤:原因:無法找到請求目標的有效證書路徑
[英]Error in android Studio 3.0 when I sync gradle. Error:Cause: unable to find valid certification path to requested target
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.